I recently noticed that while using Defender for Cloud Apps, all the endpoint indicators tied to our cloud discovery apps were wiped from our URL list around 10:00 GMT. We had thousands of these indicators, mainly from cloud apps, and now all that remains are our manual exclusions. I understand that Defender can remove indicators if they haven't been used for a while, but many of these were accessed daily, so it seems weird for them to all disappear at once. Enforce app access is still on, but in the audit logs, there are only a few DeleteIndicator operations logged, which doesn't explain the complete removal. Has anyone else faced this issue? I could not find any related information online at the moment.
8 Answers
We're seeing something similar—every app suddenly showed a risk score of zero, causing our policies to block them all. When I contacted Microsoft, they insisted there were no reported issues and suggested logging it through their portal. So frustrating! 🤦‍♂️
Yup, feeling the impact as well here. Everyone's on edge about it.
Yep, I raised a P1 ticket with Microsoft, and it turns out this is a global outage affecting many users.
Did you get any updates or resolutions about the global outage?
I had the same problem around 11:30 pm EST. It resulted in all cloud apps dropping to zero score, and our policies blocked everything as a result. We managed to remove the unsanctioned tags, but all websites remain blocked. Any suggestions?
Try disabling the policy. Manually bulk remove the tags and give the Microsoft systems a bit of time to catch up. It took us about three hours, but some sites are slowly coming back. Still no word from MS on what caused this.
Same issue here! It’s really annoying.
Good ol’ Microsoft and their "included" products. Maybe it’s time to invest in CrowdStrike instead.
We’re having the same issue with our unsanctioned policy that flags apps with a risk profile under 6. It incorrectly flagged many crucial apps such as Azure and Chrome. Anyone else experiencing troubles with Zscaler as well? Not sure if this is a Zscaler issue or linked to Microsoft's policies blocking apps.
Did anyone notice a health issue reported regarding Cloud Apps a few hours ago? Let me know if you need the issue number!
The fix we received from Microsoft was to check the M365 Security Portal—go to Settings > Cloud Apps > Microsoft Defender for Endpoint. There's a checkbox to turn the integration on or off. We recommend turning it off for now until the situation is stable. This allowed us to get back up and running without disabling Defender for Endpoint itself.
Interesting, thanks for sharing that info!

We reported too, and they said everything was fine. What gives?